💌 TryHackMe Writeup: Love Letter Locker – Accessing Other Users' Letters

Platform: TryHackMe
Room Name: Love Letter Locker
Category: Web
Difficulty: Easy
Points: 100
Time Estimate: ~60 Minutes


🧠 Room Overview

The Love Letter Locker web app allows users to:

  • ✍️ Write Valentine’s letters

  • 🔒 Store them securely

  • 👀 Access them privately

Or at least… that’s what it claims.

Your mission:

🎯 Access other users' letters
🔎 Identify the vulnerability
🚩 Capture the flag


🖥️ Environment Setup

Before beginning:

  • Start your AttackBox (or connect via VPN)

  • Launch the Target Machine

  • Access the web app at:

http://MACHINE_IP:5000

Once loaded, you’ll see a simple interface for creating and viewing letters.


🔍 Initial Observation

After logging in and creating a letter, you’ll notice:

  • Each letter is assigned an ID

  • The letter is accessible via a URL parameter

  • The structure looks predictable

That’s where things get interesting…


🛠️ Investigation Approach (High-Level)

Instead of attacking blindly, we follow logical web testing steps:

1️⃣ Analyze URL Structure

  • Observe how letters are accessed

  • Identify parameters like:

    /letter?id=1

2️⃣ Test Authorization Controls

  • Check whether the application verifies ownership

  • Modify the ID value

  • Observe server response

3️⃣ Look for Access Control Weakness

If the application:

  • Does NOT verify whether the letter belongs to the logged-in user

  • Only relies on the ID parameter

Then we may have discovered a serious flaw.


🚨 Vulnerability Identified: IDOR

The application was vulnerable to:

Insecure Direct Object Reference (IDOR)

This means:

  • Objects (letters) are referenced directly via an ID that the client controls

  • The server looks the letter up by that ID alone and never checks that it belongs to the logged-in user

  • Any authenticated user can read other users’ letters simply by changing the ID

IDOR is one instance of the broader Broken Access Control category (OWASP Top 10 A01:2021), and it is both common and dangerous because it needs no special tooling: a browser address bar is enough.
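To make both the investigation steps above and the vulnerability itself concrete, here is an added example that is not the room's own code: a minimal in-memory model of a `/letter?id=N` handler in its IDOR-vulnerable form and in a hardened form, plus the attacker-side probe from the "Test Authorization Controls" step. The Flask-like `(status, body)` return shape, the user names, the letter bodies and the function names are all constructed assumptions for illustration; the real app's code is not published on this page.

```python
"""
Added example, not the Love Letter Locker's own code.

Models the /letter?id=N endpoint as a plain function returning an
HTTP-style (status_code, body) pair, so it can be run offline.
All users, letters and IDs below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Callable, Iterable


@dataclass(frozen=True)
class Letter:
    id: int
    owner: str
    body: str


# Constructed stand-in for the app's database: sequential IDs, one owner each.
LETTERS = {
    1: Letter(1, "alice", "Dear Bob, meet me at the fountain at noon."),
    2: Letter(2, "bob", "Dear Carol, I kept your photo in my wallet."),
    3: Letter(3, "carol", "Dear Alice, thank you for the chocolates."),
}

NOT_FOUND = (404, "Not found")

# Type of a request handler: (logged-in user, requested id) -> (status, body)
View = Callable[[str, int], tuple[int, str]]


def view_letter_vulnerable(session_user: str, letter_id: int) -> tuple[int, str]:
    """IDOR-vulnerable handler (the 'before').

    The letter is fetched by id only; session_user is never compared with
    letter.owner, so any logged-in user can read any letter.
    Equivalent SQL: SELECT body FROM letters WHERE id = ?
    """
    letter = LETTERS.get(letter_id)
    if letter is None:
        return NOT_FOUND
    return 200, letter.body


def view_letter_hardened(session_user: str, letter_id: int) -> tuple[int, str]:
    """Hardened handler (the fix).

    Ownership is enforced server-side as part of the lookup, and a letter
    that exists but belongs to someone else gets the same 404 as a letter
    that does not exist, so the endpoint cannot be used to confirm which
    IDs are in use.
    Equivalent SQL: SELECT body FROM letters WHERE id = ? AND owner = ?
    """
    letter = LETTERS.get(letter_id)
    if letter is None or letter.owner != session_user:
        return NOT_FOUND
    return 200, letter.body


def probe_idor(view: View, session_user: str, own_ids: set[int],
               candidate_ids: Iterable[int]) -> dict[int, str]:
    """Attacker-side check from the investigation steps.

    Acting as session_user, request every candidate id except the ones we
    created ourselves (own_ids) and collect any that come back 200.
    A non-empty result means the server is not verifying ownership.
    """
    leaked: dict[int, str] = {}
    for letter_id in candidate_ids:
        if letter_id in own_ids:
            continue
        status, body = view(session_user, letter_id)
        if status == 200:
            leaked[letter_id] = body
    return leaked


def neighbour_ids(own_id: int, radius: int = 5) -> range:
    """IDs to try around the one we were assigned: sequential IDs make
    neighbours the obvious first guess."""
    return range(max(1, own_id - radius), own_id + radius + 1)


if __name__ == "__main__":
    # alice owns letter 1; she probes the IDs around it against both handlers.
    print("vulnerable:", probe_idor(view_letter_vulnerable, "alice", {1}, neighbour_ids(1)))
    print("hardened:  ", probe_idor(view_letter_hardened, "alice", {1}, neighbour_ids(1)))
```

Against the live room the `view` argument would be replaced by an HTTP request carrying your own session cookie (for example `curl -b "session=..." "http://MACHINE_IP:5000/letter?id=2"` in a loop); the decision logic is the same: any ID you did not create that returns 200 is a finding. Note that the hardened handler folds the ownership test into the lookup itself rather than fetching first and checking afterwards, which is the pattern least likely to be forgotten on the next endpoint someone adds.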


🏁 Final Flag

THM{1_c4n_r3ad_4ll_l3tters_w1th_th1s_1d0r}

✅ Challenge completed successfully!


📚 Key Security Lessons

This room highlights important web security principles:

🔐 Always enforce authorization checks server-side: look objects up by ID and owner together, never by ID alone
🧩 Never trust user-controlled parameters: the id in the URL is chosen by the client, not by your application
📦 Protect object references: a hard-to-guess or hashed ID is not an authorization check, so the ownership test is still required
🛡️ Implement proper access control validation on every object endpoint, and return the same "not found" response for an object that exists but belongs to someone else, so the endpoint cannot be used to confirm valid IDs

IDOR vulnerabilities are extremely common in real-world applications.


🎯 Why This Room Is Valuable

Love Letter Locker is perfect for:

  • Beginners learning web vulnerabilities

  • Understanding access control flaws

  • Practicing logical parameter manipulation

  • Building foundational penetration testing skills

It clearly demonstrates how small logic mistakes can lead to serious privacy breaches.


💡 Final Thoughts

The biggest takeaway:

Just because something is “hidden” doesn’t mean it’s secure.

Proper authorization is essential in any application that handles private data.
